Overview of AWS Authentication, Authorisation, and Access Control
Authentication
Comprised of 2 parts of information.
- Who you are?
Presenting your identity (login username). Unique value within the system we are trying to authenticate to.
- Verify you are who you say you are. Passwords, MFA, etc. This does not have to be unique.
We may use credit card pin numbers for authentication. Identity = credit card, verify = pin number.
Authorisation
Happens before authentication.
System in which we have authenticated to establishes what level of privileges we can access.
IAM defines what we can access in AWS. Each identity can have a different authorisation profile attached to it.
What we can access once we have authenticated to a system.
Access Control
Mechanism of accessing a secured resource.
- MFA
- Username / password
Access Control is about the process of how a resource is granted.
Not always related to humans, can be machine only (such as IAM roles).
Federation - access to non-AWS users.
Network access control lists (network layer) and restricts data depending on network parameters.
Security groups are NACLs but at the instance level.